I.  A General Review of Laws Governing Electronic Privacy Rights
A. Federal Statutes: the Wiretap Act and the Stored Communications Act
Two federal statutes protect electronic communications: the Federal Omnibus Crime Control and Safe Streets Act of 1968, also known as the Wiretap Act, which focuses on electronic communications during transmission, and the Stored Communications Act, which focuses on electronic communications after transmission. Both statutes provide criminal penalties and civil remedies against violations.

The Electronic Communications Privacy Act ("ECPA") of 1986 amended the Wiretap Act, Title 18 United States Code section 2510, et. Seq. ("the Wiretap Act"). It prohibits intentional interception of electronic communications and disclosure or use of intercepted electronic communication. The Wiretap Act protects electronic communications during transmission, and before the electronic communication is opened and stored. (See 18 U.S.C § 2511(1).)

Two exceptions to the Wiretap Act may apply to employers. The first is a "business exception" that allows operators of communication service providers to monitor the use of their equipment in the ordinary course of business for purposes of protecting their rights and property. In other words, an employer that hosts its own e-mail service may monitor employee activity on its server.

Second, the Wiretap Act does not apply where a party to the electronic communication has consented to the interception. Thus, an employer who gives employees notice that their electronic communications are subject to monitoring, and has obtained each employee’s written consent to monitoring through a signed acknowledgment of the employer’s computer and electronic communications policy, has greatly insulated itself against potential liability.

The ECPA also created the Stored Communications Act ("SCA"), which prohibits intentional and unauthorized access of a facility providing electronic communication service to obtain "access to a wire or electronic communication while it is in electronic storage in such system." (18 U.S.C. § 2701(a)(1).) Essentially, the SCA protects e-mail in electronic storage with a third party such as a web e-mail service. If the employer hosts its own electronic communications service, it may monitor stored records of e-mail and Internet use on its server if it has a reasonable basis for doing so. Examples of reasonable grounds include addressing security concerns, maintenance of the system, and suspected abuse.

B. Electronic Privacy Protections under California Law
California’s legislature enacted Penal Code section 502 in recognition that "the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data." (Penal Code § 502(a).) Section 502 protects computer systems, data, the privacy of individuals and "the well-being of financial institutions, business concerns, governmental agencies, and others." (Id.) It prohibits, in pertinent part, the unauthorized use, copying, damage, interference, and access to lawfully created computer data and computer systems from an internal or external computer or network. The statute provides both criminal and civil remedies. Section 502 explicitly excludes individuals who access their employer's computer systems or data when acting within the scope of their lawful employment. However, the statute does not include similar language protecting the employer from liability. Because the statute only applies to "unauthorized" conduct, the employer may avoid liability under section 502 by obtaining the employee’s written acknowledgement and consent to employer monitoring.

The California Privacy Act ("CPA") prohibits the willful attempt to learn the contents or meaning of communications in transit over a wire. (Penal Code § 631.) As with the federal Wiretap Act, the California Privacy Act only applies to communications during transmission; once an individual receives the communication, the CPA no longer protects it. The consent exception to CPA goes beyond that of the Federal Wiretap Act because it requires the consent of "all parties to the communication."

While courts have not applied California's computer and wiretap protections to computer monitoring in the workplace, California courts would likely test challenges to an employer's monitoring of employee electronic communications by testing whether the employee has "a reasonable expectation of privacy" in the electronic communication in question. In TBG Insurance Servs Co. v. Superior Court of Los Angeles County (2002) 96 Cal.App.4th 443, an employer dismissed an employee for violating the company's computer policy by repeatedly accessing pornographic Internet sites while at work. The employee filed a wrongful termination action against the employer. During the litigation, the employee argued that the employer did not have the right to inspect an employer-owned computer the employee had primarily used at home for personal purposes. The employee reasoned that the computer contained significant personal information, including tax information and family correspondence, that was subject to his right of privacy under California’s constitution. The Court of Appeal ruled in favor of the employer holding that the employee did not have a reasonable expectation of privacy because he consented to the employer’s monitoring of his computer activities by signing the employer’s computer use policy.

II. Recommendations for Employer Policies and Practices on Employee Use of Computer and Electronic Communication Tools
The TBG Insurance case is the only case published by California courts that addresses the issue of the employer's right to monitor and inspect employee electronic activities on employer computers. Because the reasoning of the court was based on the employee’s written consent to monitoring of the employer’s computers and system, a number of steps are essential. Required steps include the following:

• The employer should establish a written computer and electronic communications policy that clearly informs employees that electronic communications are to be used solely for legitimate business purposes and that they are subject to employer monitoring.
   
• If the employer wishes to permit personal use of its e-mail system, the policy should specify the terms and conditions of such use (e.g., only incidental use and only when such use avoids interference with the employer’s business, its computer resources, and the employee’s work obligations.)
   
• The policy should inform employees that they have no an expectation of privacy in their electronic communications and use of the employer’s electronic resources. The employer should also inform employees that under certain circumstances electronic communication must be disclosed to the public, or in case of litigation, those communications may have to be produced to a third party.
   
• The policy should notify employees that the employer may conduct routine maintenance and monitoring of its computer and electronic resources.
   
• All employees should sign a statement acknowledging that they have read and understood the employer’s computer and electronic communications policy.
   
• The employer should issue employees passwords for security purposes. In doing so, the employer should instruct employees not to share their passwords with other employees. Importantly, the employer should ensure that employees understand that the purpose of the passwords is to protect the employer’s proprietary and confidential information.
   
• The employer should inform all employees that they are responsible for ensuring that they shut down their workstation at the end of their workday. This will prevent use of the workstation by an unauthorized user.
   
• Employers are vulnerable to liability for harassment and discrimination claims when employees access, display or circulate inappropriate images, jokes, and/or text with racial, sexual, or offensive content. The employer should thus incorporate by reference its anti discrimination and harassment policy into its computer and electronic communications policy.
   
• Employers should consider using computer software to block access to inappropriate web sites such as those dedicated to pornography or adult content.
   
• Employers should consider blocking access to web based e-mail sites such as Hotmail or Yahoo. If the employer allows employees to access web based personal e-mail, the employer should ensure that employees understand that e-mail employees access, send, or receive using the employer’s computer or server is subject to employer monitoring. Importantly, the employer’s right to monitor or access the employee’s web based e-mail is limited to communications on its server.
   
• Employers who monitor inappropriate employee e-mail or Internet activity, such as employee access to pornographic web sites or distribution of harassing or offensive material, should actively enforce their policies. An employer who has knowledge of such activity but ignores it, exposes itself to liability for discrimination or harassment claims.